Those persons responsible for computers and computer networks are becoming increasingly concerned about computer data security.
In some computing environments physical isolation of networks provides the greatest level of security for each network. An example of this is Department of Defence networks which are typically physically isolated from all other networks classified at a lower level.
However, there will always be good reason to have connections between networks, and at least in a defence environment it may be necessary to have a console or workstation used in an isolated network which can exchange information with another network which is less classified. There are also examples of this in the commercial world, where companies dealing with commercially sensitive information also require one or more consoles or workstations in their network to be connected to industry LANs and WANs and increasingly to the Internet.
It is generally accepted that if networks of different classification are allowed to be connected, flow of information from a computer working in a lower classified network to a computer working in the higher classified network is allowed. It is flow from the higher classified network to the lower classified network which requires restrictions. A well-known example of such a policy is the Bell & La Padula security policy.
One such arrangement is depicted in FIG. 2, where information transfer from a higher classified network to a lower classified network is only permitted by the arrangement if an authorised sender applies a unique seal to the information. A gateway device located at the junction point of the lower and higher classified networks only allows properly sealed information to pass to the lower classified network. The gateway ensures that the seal is legitimate and audits the information transfer.
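The gateway rule described above can be sketched as follows. This is an added illustration, not code from the patent or from any product it describes. It assumes the "seal" is an HMAC-SHA256 tag under a per-sender key, and the names `Level`, `SEAL_KEYS`, `make_seal` and `Gateway` are hypothetical.

```python
import hashlib
import hmac
from enum import IntEnum

class Level(IntEnum):          # two classification levels, as in the text
    LOW = 0
    HIGH = 1

# Constructed sample data: senders authorised to seal, with assumed HMAC keys.
SEAL_KEYS = {"alice": b"constructed-demo-key-for-alice"}

def make_seal(sender: str, payload: bytes, key: bytes) -> bytes:
    """Assumed seal format: HMAC-SHA256 over sender identity and payload."""
    return hmac.new(key, sender.encode() + b"\x00" + payload, hashlib.sha256).digest()

class Gateway:
    """Sits at the junction of the two networks and audits every decision."""

    def __init__(self, seal_keys):
        self.seal_keys = seal_keys
        self.audit = []        # (sender, src, dst, payload digest, allowed, reason)

    def transfer(self, src, dst, sender, payload, seal=None):
        if dst >= src:
            # Flow from lower to higher (or same level) is allowed unsealed.
            allowed, reason = True, "flow to equal or higher level"
        else:
            # Flow from higher to lower needs a legitimate seal.
            key = self.seal_keys.get(sender)
            if key is None:
                allowed, reason = False, "sender not authorised to seal"
            elif seal is None or not hmac.compare_digest(
                    seal, make_seal(sender, payload, key)):
                allowed, reason = False, "missing or invalid seal"
            else:
                allowed, reason = True, "valid seal from authorised sender"
        digest = hashlib.sha256(payload).hexdigest()
        self.audit.append((sender, src.name, dst.name, digest, allowed, reason))
        return allowed
```

Because the seal covers the payload, a seal issued for one message does not release a different one, and denied attempts are recorded alongside permitted transfers.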
This approach has many disadvantages, which largely affect the ease of use and cost of such a network. It typically requires expensive custom workstations or additional trusted elements which can seal and, if necessary, encrypt the information and/or the seal.
This invention eliminates or reduces these problems and can in certain circumstances work with this arrangement.
It is also not unreasonable for users of a higher classified network to want access to lower classified networks to upload information or to log in remotely to the other network and use the facilities available on that lower classified network, such as, for example, the Internet. This type of use involves the user of the higher classified network typing commands on their normal workstation, which then displays information obtained from the lower classified network.
Australian Patent No AU 663406 to Secure Computing Corporation discloses a method and apparatus for ensuring secure communications over an unsecured communications medium between a user working on an unsecured workstation and a remote host computer. A secure user interface is created by inserting a trusted path subsystem between input/output devices to the workstation and the workstation itself. This patent, however, has a number of critical differences of approach to that of the subject invention.
Most importantly, the secure user interface of AU 663406 must use a cryptographic entity located in the user interface to encrypt and decrypt all information passing through the interface. The secure user interface does not allow the free flow of information from the network having a lower security to the network having a higher security. The remote host computer must have a trusted subsystem and a cryptographic entity having encryption and decryption facilities corresponding to those in the secure user interface. The secure user interface must have a video manager which creates a "trusted" window generated by a video RAM which always processes information which has been decrypted in the secure user interface.
As will be described in this specification, much greater ease of use, simpler design and avoidance of cryptographic entities can be achieved with a different approach to dealing with information being input by a user or computer device and with information sourced from the lower classified network.
The inventors recognised that the junction point of the two or more networks having different security levels can exist at one or more selected workstations or computer information processing devices located either in the higher classified network or external to it, and that by allowing the flow of information from the lower classified network to the higher classified network, the networks can thus be connected relatively easily. The invention can assure the user entering (by way of typing, for example) higher classified information that the information is being input to the higher classified network and no other, and furthermore that the lower classified network is not able to download information from the higher classified network at any time.